DEV Community: J.R. de Guzman

AWS Firewalls 101: Stateful vs. Stateless

J.R. de Guzman — Sun, 23 Jun 2024 05:44:30 +0000

AWS Firewalls 101: Stateful vs. Stateless

Hey there, fellow cloud enthusiast! Today, let's dive into the basics of stateful and stateless firewalls in AWS.
Firewalls are the unsung heroes of network security, keeping the bad stuff out while letting the good stuff in.
But did you know there are different types? Let's break it down.

Stateful Firewalls
Think of stateful firewalls as the smart gatekeepers of your network. They remember past interactions. If you let someone in, they remember and let them out too without you having to tell them again. This is super handy because you set fewer rules, and it keeps things simple.

Why They're Awesome:

Connection Savvy - They track ongoing connections, making life easier by allowing return traffic automatically.
Less Work - Fewer rules to manage means less hassle.

In AWS, Security Groups are your go-to stateful firewalls. It allows incoming traffic on port 80 for your web server, and the return traffic flows back out without additional configuration.

Stateless Firewalls
On the flip side, stateless firewalls are like diligent security guards checking every single packet without any memory of the past. They need explicit instructions for everything, both coming in and going out.

Why They're Cool:

Super Fast - They can handle lots of traffic quickly because they don't track connections.
Detailed Control - You get to set detailed rules for everything, giving you granular control.

AWS Network ACLs (Access Control Lists) are your typical stateless firewalls. You'll need to write specific rules for both inbound and outbound traffic, which gives you precise control but requires more setup.

In a nutshell, most AWS setups use a combination of both. Security Groups manage traffic to your instances, while Network ACLs add an extra layer of subnet-level control.

Let's have a quick demo on the next blog post about the concept of stateful and stateless firewalls.

Supercharging your Content Delivery with AWS CloudFront

J.R. de Guzman — Tue, 09 Jan 2024 07:04:42 +0000

In today’s digital-first world, the speed and security of content delivery are not just nice-to-haves but critical components of any successful online presence. Amazon Web Services (AWS) offers a solution to enhance the user experience with its fast and secure content delivery network (CDN) service, known as Amazon CloudFront.

What is Amazon CloudFront?

Amazon CloudFront is a web service that speeds up the distribution of your static and dynamic web content, such as .html, .css, .js, and image files, to your users. It delivers your content through a worldwide network of data centers called edge locations. When a user requests content that you're serving with CloudFront, the request is routed to the edge location that provides the lowest latency (time delay), so the content is delivered with the best possible performance. CloudFront is also used to protect your applications against common web exploits that might affect application availability, compromise security, or consume excessive resources.

Accelerating Content Delivery with Global Edge Locations and Regional Edge Caches

Amazon CloudFront ensures that users anywhere in the world can access online content quickly and securely.

It uses a global network of over 400 edge locations, which act as AWS points of presence. When a user requests content, CloudFront routes this request to the nearest edge location, optimizing speed and reducing latency.
Beyond these edge locations are regional edge caches, situated in 13 strategic regions. These caches offer an additional layer of caching and can store content for longer periods than individual edge locations, making them suitable for content that changes less frequently.
Together, these components work to deliver content efficiently from the origin server to the user, significantly improving the user experience for websites and web applications.

But CloudFront isn't just about speed. It also offers a range of security features to protect your applications and content. This includes AWS Shield Standard, which protects against DDoS attacks, and AWS Certificate Manager for managing SSL/TLS certificates. Additionally, you can integrate CloudFront with other AWS services such as Amazon S3, EC2, AWS WAF, and Lambda@Edge for a more robust web application setup.

By leveraging the power of Amazon CloudFront, businesses can ensure that their content is always available, secure, and delivered with the performance that today's internet users expect.

Understanding the Fundamentals of VPC Peering in AWS

J.R. de Guzman — Sat, 04 Nov 2023 17:07:01 +0000

Introduction

In AWS, Virtual Private Cloud (VPC) peering is a pivotal concept for architects and developers aiming to design interconnected network architectures. This blog explores the fundamentals of VPC peering, exploring what it is, how it works, and why it's essential for effectively managing cloud resources.

What is VPC peering?

VPC peering is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. In AWS, VPCs are isolated sections of the cloud where you can define and control network environments. Peering, in essence, bridges these isolated environments, allowing for seamless integration without the data traversing the public internet.

How to set up a VPC peering

Setting up VPC peering involves a few steps:

Peering request - Initiate a peering request from the requester's VPC to the accepter's VPC, identifying each VPC by its ID and owner account.
Acceptance - The owner of the accepter VPC must accept the peering request for the connection to be established.
Route tables - Once accepted, both VPCs' route tables must be configured to direct traffic destined for the other VPC to the peering connection.
Security groups - Modify security groups and network access control lists (NACLs) to allow traffic between the VPCs if necessary.

Some best practices and considerations

When implementing VPC peering, keep the following best practices in mind:

IP address range - Ensure no overlapping CIDR blocks between peered VPCs to avoid route conflicts.
Scalability - For multiple VPC connections, consider using AWS Transit Gateway for better management and scalability.
Security - Regularly review security group and NACL rules to maintain a minimum required level of access.

In summary

VPC peering enhances the capability of VPCs by allowing private, secure, and direct networking communication between separate VPCs. It supports various architectural needs, from simple pairwise connections to more complex, multi-account collaborations. By mastering the fundamentals of VPC peering, you can leverage the full potential of AWS networking to build efficient, scalable, and secure cloud environments.

AWS Explained

J.R. de Guzman — Tue, 22 Aug 2023 18:44:47 +0000

In this blog, I will highlight more about the AWS categories, accessing AWS services, and AWS certifications.

Categories of AWS Services
AWS services fall under different categories, and each category contains one or more services. You can select the services that you want from these different categories to build your solutions.

Accessing AWS Services
You might wonder how to access the broad array of services that are offered by AWS. There are three ways to create and manage resources on the AWS Cloud:

AWS Management Console - The console provides a rich graphical interface to a majority of the features offered by AWS. (Note: From time to time, new features might not have all of their capabilities included in the console when the feature initially launches.)
AWS Command Line Interface (AWS CLI) - The AWS CLI provides a suite of utilities that can be launched from a command script in Linux, macOS, or Microsoft Windows.
Software Development Kits (SDKs) - AWS provides packages that enable accessing AWS in a variety of popular programming languages. This makes it easy to use AWS in your existing applications and it also enables you to create applications that deploy and monitor complex systems entirely through code.

Amazon Web Services (AWS) has several AWS certifications which will validate your technical skills and cloud expertise to grow your career and business.

There are four (4) level of AWS Certification namely:

Foundational - Knowledge-based certification for foundational understanding of AWS Cloud. No prior experience needed.
Associate - Role-based certifications that showcase your knowledge and skills on AWS and build your credibility as an AWS Cloud professional. Prior cloud and/or strong on-premises IT experience recommended.
Professional - Role-based certifications that validate advanced skills and knowledge required to design secure, optimized, and modernized applications and to automate processes on AWS. 2 years of prior AWS Cloud experience recommended.
Specialty - Dive deeper and position yourself as a trusted advisor to your stakeholders and/or customers in these strategic areas. Refer to the exam guides on the exam pages for recommended experience.

To learn more about AWS Certification, you may visit the AWS Certification web page.

What is Amazon Web Services (AWS)?

J.R. de Guzman — Mon, 21 Aug 2023 15:14:15 +0000

Before we go the definition of AWS, let's define first what are web services?

In general, a web service is any piece of software that makes itself available over the internet or on private (intranet) networks. A web service uses a standardized format—such as Extensible Markup Language (XML) or JavaScript Object Notation (JSON)—for the request and the response of an application programming interface (API) interaction. It is not tied to any one operating system or programming language. It’s self-describing via an interface definition file and it is discoverable.

What is Amazon Web Services (AWS)?

Amazon Web Services (AWS) is a secure cloud platform that offers a broad set of global cloud-based products.
AWS provides you with on-demand access to compute, storage, network, databases, analytics, networking, mobile, developer tools, management tools, IoT, security, and enterprise applications.
AWS offers flexibility. Your AWS environment can be reconfigured and updated on demand, scaled up or down automatically to meet usage patterns and optimize spending, or shut down temporarily or permanently.
You pay only for the individual services you need, for as long as you use them. The billing for AWS services becomes an operational expense instead of a capital expense. Later on this article, I will discuss the difference between the operational expense and capital expense.
AWS services are designed to work together to support virtually any type of application or workload. Think of these services like building blocks, which you can assemble quickly to build sophisticated, scalable solutions, and then adjust them as your needs change.

Advantages of cloud computing in AWS

Why are so many companies interested in moving to the cloud? This section presents six advantages of cloud computing.

Trade capital expense for variable expense - Capital expenses (capex) are funds that a company uses to acquire, upgrade, and maintain physical assets such as property, industrial buildings, or equipment. Do you remember the data center example in the traditional computing model where you needed to rack and stack the hardware, and then manage it all? You must pay for everything in the data center whether you use it or not. By contrast, a variable expense is an expense that the person who bears the cost can easily alter or avoid. Instead of investing heavily in data centers and servers before you know how you will use them, you can pay only when you consume resources and pay only for the amount you consume. Thus, you save money on technology. It also enables you to adapt to new applications with as much space as you need in minutes, instead of weeks or days. Maintenance is reduced, so you can spend focus more on the core goals of your business.
Benefit from massive economies of scale - By using cloud computing, you can achieve a lower variable cost than you can get on your own. Because usage from hundreds of thousands of customers is aggregated in the cloud, providers such as AWS can achieve higher economies of scale, which translates into lower pay-as-you-go prices.
Stop guessing capacity - Eliminate guessing about your infrastructure capacity needs. When you make a capacity decision before you deploy an application, you often either have expensive idle resources or deal with limited capacity. With cloud computing, these problems go away. You can access as much or as little as you need, and scale up and down as required with only a few minutes’ notice.
Increase speed and agility - In a cloud computing environment, new IT resources are only a click away, which means that you reduce the time it takes to make those resources available to your developers from weeks to just minutes. The result is a dramatic increase in agility for the organization because the cost and time that it takes to experiment and develop are significantly lower.
Stop spending money on running and maintaining data centers - Focus on projects that differentiate your business instead of focusing on the infrastructure. Cloud computing enables you to focus on your own customers instead of the heavy lifting of racking, stacking, and powering servers.
Go global in minutes - You can deploy your application in multiple AWS Regions around the world with just a few clicks. As a result, you can provide a lower latency and better experience for your customers simply and at minimal cost.

AWS Documentation

AWS provides extensive and detailed documentation for each AWS service. Guides and application programming interface (API) references are organized by service category.
AWS also offers general resources and tutorials that can be accessed from the AWS Documentation pages.
AWS technical papers and guides can be filtered by product, category, or industry, so you can find the information that's most relevant to your needs.

Learn more about AWS Documentation

Essentials of Cloud Computing

J.R. de Guzman — Mon, 21 Aug 2023 12:45:10 +0000

Types of cloud computing
There are three main cloud service models. Each model represents a different part of the cloud computing stack and gives you a different level of control over your IT resources:

Infrastructure as a Service (IaaS) - Services in this category are the basic building blocks for cloud IT and typically provide you with access to networking features, computers (virtual or on dedicated hardware), and data storage space. IaaS provides you with the highest level of flexibility and management control over your IT resources. It is the most similar to existing IT resources that many IT departments and developers are familiar with today.
Platform as a Service (PaaS) - Services in this category reduce the need for you to manage the underlying infrastructure (usually hardware and operating systems) and enable you to focus on the deployment and management of your applications. Some examples of PaaS are: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform, Heroku, OpenShift, Magento, AWS Elastic Beanstalk, and others. There's more example of Platform as a Services (PaaS). The example I've mentioned will be enough to get you an idea what's in the PaaS cloud computing.
Software as a Service (SaaS) - Services in this category provide you with a completed product that the service provider runs and manages. In most cases, software as a service refers to end-user applications. With a SaaS offering, you do not have to think about how the service is maintained or how the underlying infrastructure is managed. You need to think only about how you plan to use that particular piece of software. A common example of a SaaS application is web-based email, where you can send and receive email without managing feature additions to the email product or maintaining the servers and operating systems that the email program runs on. Some examples of SaaS are: Slack, Workday, ServiceNow, Salesforce, HubSpot, Office365, and others.

In summary, as cloud computing has grown in popularity, several different models and deployment strategies have emerged to help meet specific needs of different users. Each type of cloud service and deployment method provides you with different levels of control, flexibility, and management.

Cloud computing deployment models

Cloud - A cloud-based application is fully deployed in the cloud, and all parts of the application run in the cloud. Applications in the cloud have either been created in the cloud or have been migrated from an existing infrastructure to take advantage of the benefits of cloud computing. Cloud-based applications can be built on low-level infrastructure pieces or they can use higher-level services that provide abstraction from the management, architecting, and scaling requirements of core infrastructure.
On-premises/Private Cloud - The deployment of resources on-premises, using virtualization and resource management tools, is sometimes called the “private cloud.” On-premises deployment doesn’t provide many of the benefits of cloud computing but is sometimes sought for its ability to provide dedicated resources. In most cases this deployment model is the same as legacy IT infrastructure while using application management and virtualization technologies to try and increase resource utilization.
Hybrid - A hybrid deployment is a way to connect infrastructure and applications between cloud-based resources and existing resources that are not located in the cloud. The most common method of hybrid deployment is between the cloud and existing on-premises infrastructure to extend, and grow, an organization's infrastructure into the cloud while connecting cloud resources to the internal system.

Traditional Infrastructure and Amazon Web Services (AWS)

There are many similarities between AWS and the traditional, on-premises IT space:

AWS security groups, network access control lists (network ACLs), and AWS Identity and Access Management (IAM) are similar to firewalls, access control lists (ACLs), and administrators.
Elastic Load Balancing and Amazon Virtual Private Cloud (Amazon VPC) are similar to routers, network pipelines, and switches.
Amazon Machine Images (AMIs) and Amazon Elastic Compute Cloud (Amazon EC2) instances are similar to on-premises servers.
Amazon Elastic Block Store (Amazon EBS), Amazon Elastic File System (Amazon EFS), Amazon Simple Storage Service (Amazon S3), and Amazon Relational Database Service (Amazon RDS) are similar to direct attached storage (DAS), storage area networks (SAN), network attached storage (NAS), and a relational database management service (RDBMS).

What is Cloud Computing?

J.R. de Guzman — Mon, 21 Aug 2023 09:08:39 +0000

In this blog, I will discuss what is cloud computing. Before we go to the technical definition of cloud computing, let's start with brief discussion on what can technology help in our lives.

Today, technology enables you to extend your activities beyond physical, geographical, and time limits. You live in the digital world, and technology plays an integral role in your life.

You use technology to get educated, shop online, keep track of your finances, secure your home, communicate with others, entertain yourself, and more.

We already know what can we get with the help of the technology. Now, let's move on the basic definition of cloud computing.

In its most basic definition, the cloud is a computer that is located somewhere else, accessed via the internet, and used in some way.
Web services is another name for what people call the cloud.

The cloud comprises server computers in large data centers in different locations around the world. People use the cloud for various things. Think storing data securely, sending emails, creating virtual computers, and building websites. Doctors might utilize the cloud to personalize patient treatments, banks could rely on it to quickly detect and prevent fraud, and gaming companies may use it to host online multiplayer games.

Cloud computing as it most technical definition is the on-demand delivery of compute power, database, storage, applications, and other IT resources via the internet with pay-as-you-go pricing. These resources run on server computers that are located in large data centers in different locations around the world. When you use a cloud service provider like Amazon Web Services (AWS), that service provider owns the computers that you are using. These resources can be used together like building blocks to build solutions that help meet business goals and satisfy technology requirements.

Who is using cloud computing?
Organizations of every type, size, and industry are using the cloud for a wide variety of use cases, such as data backup, disaster recovery, email, virtual desktops, software development and testing, big data analytics, and customer-facing web applications. For example, healthcare companies are using the cloud to develop more personalized treatments for patients. Financial services companies are using the cloud to power real-time fraud detection and prevention. And video game makers are using the cloud to deliver online games to millions of players around the world.

Benefits of cloud computing

Agility - The cloud gives you easy access to a broad range of technologies so that you can innovate faster and build nearly anything that you can imagine. You can quickly spin up resources as you need them–from infrastructure services, such as compute, storage, and databases, to Internet of Things, machine learning, data lakes and analytics, and much more.

You can deploy technology services in a matter of minutes, and get from idea to implementation several orders of magnitude faster than before. This gives you the freedom to experiment, test new ideas to differentiate customer experiences, and transform your business.
Elasticity - With cloud computing, you don’t have to over-provision resources up front to handle peak levels of business activity in the future. Instead, you provision the amount of resources that you actually need. You can scale these resources up or down to instantly grow and shrink capacity as your business needs change.
Cost savings - The cloud allows you to trade fixed expenses (such as data centers and physical servers) for variable expenses, and only pay for IT as you consume it. Plus, the variable expenses are much lower than what you would pay to do it yourself because of the economies of scale.
Deploy globally in minutes - with cloud computing, you can expand to new geographic regions and deploy globally in minutes. For example, AWS has infrastructure all over the world, so you can deploy your application in multiple physical locations with just a few clicks. Putting applications in closer proximity to end users reduces latency and improves their experience.

Here's a breakdown of key concepts of cloud computing for beginners:

Remote Servers - Instead of running programs or storing data on your personal computer or local servers, cloud computing allows you to use powerful computers located in data centers around the world. These servers are maintained by cloud service providers.
On-Demand Access - Cloud computing provides you with on-demand access to computing resources. You can easily scale up or down based on your needs. This flexibility is particularly useful when you need more resources for a short period of time.
Types of Cloud Services: I have a separate discussion with regards to the types of cloud services. You may check the Essentials of Cloud Computing blog post.
Cost-Efficiency - Cloud computing can be cost-effective because you pay only for the resources you use. There's no need to invest upfront in expensive hardware or infrastructure.
Scalability - Cloud services allow you to easily scale up or down based on your requirements. This is particularly useful for businesses with varying workloads or seasonal demands.
Data Backup and Disaster Recovery - Cloud providers typically offer data redundancy and backup solutions, ensuring your data is safe and easily recoverable in case of unexpected events.
Collaboration - Cloud computing enables easy collaboration as multiple users can access and work on the same files or applications from different locations.
Examples of Cloud Services - Common examples include Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform, Dropbox, Google Drive, and Microsoft 365.
Security Considerations - While cloud providers invest in security measures, it's important to take steps to secure your data and applications as well. This may involve proper authentication, encryption, and access controls.
Internet Dependence - Since cloud computing relies on internet connectivity, a stable and reliable internet connection is crucial for accessing and using cloud services.

Overall, cloud computing offers convenience, flexibility, and cost savings for individuals and businesses by abstracting away the complexities of managing physical hardware and infrastructure.

All you need to know about EC2 Instance Connect Endpoint - Complete

J.R. de Guzman — Sun, 20 Aug 2023 13:48:22 +0000

In this blog, I will show you on how to connect to an EC2 instances in private subnet without requiring the instance to have a public IPv4 address and a key pair .

This new feature is called EC2 Instance Connect Endpoint. Before we go to the hands-on let's define first what is the EC2 Instance Connect Endpoint and I will mentioned some important setup before we can use it.

An EC2 Instance Connect Endpoint is simply allows you to connect to an instance without requiring the instance to have a public IPv4 address. You can connect to any instances that supports TCP.

To connect to an instance, you need only specify the instance ID. You can optionally provide the EC2 Instance Connect Endpoint.

Here's some limitation and pre-requisites that you need to know about EC2 Instance Connect Endpoint.

EC2 Instance Connect Endpoint doesn't support connections to an instance using IPv6 addresses.
When client IP preservation is enabled, the instance to connect to must be in the same VPC as the EC2 Instance Connect Endpoint
Client IP Preservation is not supported when traffic is routed through an AWS Transit Gateway.
The following instance types do not support client IP preservation: C1, CC1, CC2, CG1, CG2, CR1, G1, G2, HI1, HS1, M1, M2, M3, and T1

Pre-requisites:

You must have the required IAM permission to connect to an EC2 Instance Connect Endpoint.
The EC2 Instance Connect Endpoint must be in the Available (console) or create-complete (AWS CLI) state.
Ensure that the security group of the instance that you want to connect to is configured correctly for inbound traffic.
If you're using the AWS CLI, make sure that you have configured the AWS CLI, including that it uses, and that you're using the latest version of the AWS CLI. Note: If you're using an older version of AWS CLI, the EC2 Instance Connect Endpoint will not work. It only works with newer AWS CLI version starting at version 2.

To learn more about AWS CLI version 2, you may visit the link here

You can find all of this at the Connect using EC2 Instance Connect Endpoint to an instance AWS Documentation

Hands-on Lab: EC2 Instance Connect Endpoint

In this hands-on lab, I will setup an IAM user with specific IAM permission to use the EC2 Connect Endpoint service.
The architecture is compose of a Amazon VPC with two private subnet, a security group for each EC2 instance, and a EC2 Instance Connect Endpoint service.

Below is the procedure on how to setup the environment.

Launch an AWS CloudFormation Template: Inside the script, it will launch the following AWS services:
- Amazon VPC with two private subnets
- Security groups for EC2 Instance Connect Endpoint, and for each EC2 Linux Instances
- You may check out my CloudFormation template at my Github repositories.
Create an EC2 Instance Connect Endpoint:
Below is the steps on how to create an EC2 Instance Connect Endpoint.
- AWS Management Console
  - To create an EC2 Instance Connect Endpoint in AWS Management Console:
  - Go to Amazon VPC service > on the left side click Endpoints
  - On the Create endpoint page, enter any endpoint name, under Service category select EC2 Instance Connect Endpoint
  - Next, select the security group for EC2 Instance Connect Endpoint. You may check the recommended Inbound and Outbound rules at AWS Documentation
  - Select the VPC that was launched through CloudFormation Template > select the subnet where you want to place the EC2 Instance Connect Endpoint ENI (on my setup, I launched it to the private subnet)
  - After you've finished the configuration on the previous steps, click Create endpoint
- AWS CLI version 2: aws ec2 create-instance-connect-endpoint --region <specify_the_region> --subnet-id <specify_subnet> --security-group-ids <security_group_id>
- After the creation of EC2 Instance Connect Endpoint, wait for a couple of minutes to become Available the status.
Create an IAM user:
I will create another IAM user which will use the EC2 Instance Connect Endpoint.
- Username: demo_user
- Password: Auto-generated
- After the creation of IAM user, we will enable the AWS CLI by creating an access key and secret access key.
- Don't forget to download/save the credentials (username, password, access key, and secret access key) after the creation of IAM user.
Create an IAM Policy for the IAM user:
Below is the IAM Policy that we will be using. After the creation of IAM policy, we will assign this to the IAM user that we create on the previous step.
- Note: In the IAM Policy, please take note of the following:
- <ARN_of_EC2InstanceConnectEndpoint> - after you create the EC2 Instance Connect Endpoint, copy the ARN and paste it on the IAM policy
- <VPC_CIDR> - in this part, the connection is successfully established only if all the conditions are satisfied, for example, if the SSH connection is established on port 22 of the instance, if the private IP address of the instance lies within the range of (like for example 10.0.0.0/16)
- <IAM_username> - you will specify the IAM user who will use the EC2 Instance Connect Endpoint.
- <region_code> and <account_id> - specify the correct region code and account ID that the user will test the access to the EC2 instances using EC2 Instance Connect Endpoint.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:Describe*",
                "ec2:StartInstances",
                "ec2:Create*",
                "ec2:RunInstances",
                "ec2:StopInstances"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "ec2-instance-connect:OpenTunnel",
            "Resource": "<ARN_of_EC2InstanceConnectEndpoint>",
            "Condition": {
                "StringEquals": {
                    "aws:username": "<IAM_username>"
                },
                "IpAddress": {
                    "ec2-instance-connect:privateIpAddress": "<VPC_CIDR>"
                },
                "NumericEquals": {
                    "ec2-instance-connect:remotePort": "22"
                }
            }
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "ec2-instance-connect:SendSSHPublicKey",
            "Resource": "arn:aws:ec2:<region_code>:<account_id>:instance/*",
            "Condition": {
                "StringEquals": {
                    "ec2:osuser": "ec2-user"
                }
            }
        }
    ]
}

Testing
We will now test the EC2 Instance Connect Endpoint. To start the testing we will first create an EC2 instances. Second part, we will now go to the main testing through AWS CLI.

Create an EC2 instances: We will create two EC2 instances for our testing. The two instance will be launched on a separate private subnet. The creation of EC2 instances is very simple, the following configuration needs to be highlighted.
- Name: provide any name of the instance
- Key pair: select Proceed without a key pair
- Network settings:
  - VPC: select the VPC that was launched through CloudFormation template
  - Subnet: Since this is the first EC2 instance, we will select the <region_code-1a>
  - Firewall (security groups): choose Select existing security group > select the security group PrivSGForInstance1(this security group was included in our CloudFormation Template)
  - Click Launch instance
On the AWS Management Console, click AWS CloudShell (You can use any terminal but ensure that there's a AWS CLI version 2 installed to your terminal or in Microsoft Windows CMD/PowerShell)
- Inside the terminal/AWS CloudShell, you must first enter the following command:
  - Access Key ID: credentials of the IAM user that was created from the previous steps.
  - Secret Access Key: credentials of the IAM user that was created from the previous steps.
  - Default region name: specify the region_code that we will be working on _(in this lab it's us-east-1)_
  - Default output format: enter json
- Next, we will initiate either of this two command:
  - One click command: aws ec2-instance-connect ssh --instance-id <instance_id>
  - Open-tunnel command: ssh ec2-user@<instance_id>

If unsuccessful, go back to the previous steps and check if you miss some configuration.

If successful, you have access now to the EC2 instance that's in the private subnet (no public IPv4 address) and without a key pair.

Congratulations! You have successfully completed the lab.